CVE-2021-47390

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect() KASAN reports the following issue: BUG: KASAN: stack-out-of-bounds in kvm_make_vcpus_request_mask+0x174/0x440 [kvm] Read of size 8 at addr ffffc9001364f638 by task qemu-kvm/4798 CPU: 0 PID: 4798 Comm: qemu-kvm Tainted: G X --------- --- Hardware name: AMD Corporation DAYTONA_X/DAYTONA_X, BIOS RYM0081C 07/13/2020 Call Trace: dump_stack+0xa5/0xe6 print_address_description.constprop.0+0x18/0x130 ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm] __kasan_report.cold+0x7f/0x114 ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm] kasan_report+0x38/0x50 kasan_check_range+0xf5/0x1d0 kvm_make_vcpus_request_mask+0x174/0x440 [kvm] kvm_make_scan_ioapic_request_mask+0x84/0xc0 [kvm] ? kvm_arch_exit+0x110/0x110 [kvm] ? sched_clock+0x5/0x10 ioapic_write_indirect+0x59f/0x9e0 [kvm] ? static_obj+0xc0/0xc0 ? __lock_acquired+0x1d2/0x8c0 ? kvm_ioapic_eoi_inject_work+0x120/0x120 [kvm] The problem appears to be that 'vcpu_bitmap' is allocated as a single long on stack and it should really be KVM_MAX_VCPUS long. We also seem to clear the lower 16 bits of it with bitmap_zero() for no particular reason (my guess would be that 'bitmap' and 'vcpu_bitmap' variables in kvm_bitmap_or_dest_vcpus() caused the confusion: while the later is indeed 16-bit long, the later should accommodate all possible vCPUs).
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*

History

30 Dec 2024, 20:01

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/2f9b68f57c6278c322793a06063181deded0ad69 - () https://git.kernel.org/stable/c/2f9b68f57c6278c322793a06063181deded0ad69 - Patch
References () https://git.kernel.org/stable/c/99a9e9b80f19fc63be005a33d76211dd23114792 - () https://git.kernel.org/stable/c/99a9e9b80f19fc63be005a33d76211dd23114792 - Patch
References () https://git.kernel.org/stable/c/bebabb76ad9acca8858e0371e102fb60d708e25b - () https://git.kernel.org/stable/c/bebabb76ad9acca8858e0371e102fb60d708e25b - Patch
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.1
CPE cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:*
CWE CWE-125
First Time Linux
Linux linux Kernel

21 Nov 2024, 06:36

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: KVM: x86: corrige el acceso a la memoria de pila fuera de los límites desde ioapic_write_indirect() KASAN informa el siguiente problema: BUG: KASAN: pila fuera de los límites en kvm_make_vcpus_request_mask+ 0x174/0x440 [kvm] Lectura de tamaño 8 en la dirección ffffc9001364f638 por tarea qemu-kvm/4798 CPU: 0 PID: 4798 Comm: qemu-kvm Contaminado: GX --------- --- Nombre de hardware: AMD Corporación DAYTONA_X/DAYTONA_X, BIOS RYM0081C 13/07/2020 Seguimiento de llamadas: dump_stack+0xa5/0xe6 print_address_description.constprop.0+0x18/0x130 ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm] __kasan_report.cold+0x7f/0x114 ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm] kasan_report+0x38/0x50 kasan_check_range+0xf5/0x1d0 kvm_make_vcpus_request_mask+0x174/0x440 [kvm] 0 [kvm] ? kvm_arch_exit+0x110/0x110 [kvm] ? sched_clock+0x5/0x10 ioapic_write_indirect+0x59f/0x9e0 [kvm] ? static_obj+0xc0/0xc0? __lock_acquired+0x1d2/0x8c0? kvm_ioapic_eoi_inject_work+0x120/0x120 [kvm] El problema parece ser que 'vcpu_bitmap' está asignado como un único largo en la pila y en realidad debería ser KVM_MAX_VCPUS largo. También parece que borramos los 16 bits inferiores con bitmap_zero() sin ningún motivo en particular (supongo que las variables 'bitmap' y 'vcpu_bitmap' en kvm_bitmap_or_dest_vcpus() causaron la confusión: mientras que la última tiene 16 bits de longitud , este último debería acomodar todas las vCPU posibles).
References () https://git.kernel.org/stable/c/2f9b68f57c6278c322793a06063181deded0ad69 - () https://git.kernel.org/stable/c/2f9b68f57c6278c322793a06063181deded0ad69 -
References () https://git.kernel.org/stable/c/99a9e9b80f19fc63be005a33d76211dd23114792 - () https://git.kernel.org/stable/c/99a9e9b80f19fc63be005a33d76211dd23114792 -
References () https://git.kernel.org/stable/c/bebabb76ad9acca8858e0371e102fb60d708e25b - () https://git.kernel.org/stable/c/bebabb76ad9acca8858e0371e102fb60d708e25b -

21 May 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-05-21 15:15

Updated : 2024-12-30 20:01


NVD link : CVE-2021-47390

Mitre link : CVE-2021-47390

CVE.ORG link : CVE-2021-47390


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-125

Out-of-bounds Read